Manhunt for ATM robbers kicks off

BANGKOK: A manhunt is under way with police investigators suspecting the theft of more than B12 million from the state-run Government Savings Bank (GSB) is the work of Eastern European criminals and may be linked to the multiple attacks on ATMs of a major domestic bank in Taiwan in July.

An employee shuts down the network and posts paper 'out-of-service' notices after cyber-thieves armed with malware got ATMs to spew 12 million baht in cash like a casino jackpot. Photo: Bangkok Post / Wichan Charoenkiatpakul

After covering up the thefts for two weeks, GSB on Tuesday (Aug 23) shut down half of its ATMs after discovering some were infected with malware that forced them to dispense millions of baht in cash in what is the country’s first recorded case of its kind.

Giving assurances that the thefts, which took place during Aug 1-8, have not affected customer accounts, GSB president Chartchai Payuhanaveechai said the gang targeted 21 ATMs in at least six provinces and made off with B12 million.

He said the bank has reviewed security camera footage and identified potential suspects as foreign nationals who infected the ATMs with malware that forced the machines to dispense banknotes.

“Their method involves stealing from the bank ATMs, not from customers’ accounts,” he said.

According to Mr Chartchai, the gang singled out ATMs made by ATM manufacturing giant NCR for the attacks. The bank has therefore shut down about 3,300 “stand-alone” ATMs from this maker indefinitely, until it has improved security measures to avoid further damage.

GSB has about 7,000 ATMs nationwide from three manufacturers.

However, another 600 NCR ATM machines in front of its bank branches are still functional, he said, adding that customers can use the ATMs of other commercial banks in the same area without having to pay intra-bank fees during the shutdown.

Mr Chartchai said the bank has asked the ATM maker to develop software to counter the malware attacks and is negotiating with the firm to pay for the damages.

Pol Gen Panya Mamen, a senior police adviser, said these are the first reported malware attacks on ATMs in Thailand. Similar attacks have been reported in Malaysia and Taiwan where ATMs were cleaned out.

Based on security footage, he said police believe there are about 25 people involved in the series of thefts and they are divided into two to three teams.

He said the gang chose to empty the ATMs after midnight and spent some time stealing, so he urged members of the public who may have witnessed the thefts to come forward.

Mr Chartchai and other banking executives were quick to cite the July attacks on Taiwan ATMs, but “jackpotting” cash-dispensing machines is well known and has occurred around the world.

The technique of spotting vulnerable ATM networks, injecting malware and forcing the machines to spew out cash was demonstrated at a hackers’ conference in Las Vegas in 2010, and has been reported almost regularly since.

Barnaby Jack, a legendary US hacker and security expert, showed how certain ATMs on certain networks could be manipulated. Because the attackers needed no ATM card to drain the machine, he called the exploit jackpotting because it was like winning a jackpot at a slot machine in a casino.

At least half a dozen types of malware and dozens of variants have been detected since then.

Pol Gen Panya said the thieves likely studied the infrastructure of the targeted ATMs and the bank’s system for some time. Police are closely monitoring ATMs that might be vulnerable.

He added the bank’s system is unable to detect such irregularities and the bank would not suspect anything until an actual count of cash.

The hard disks of the targeted ATMs have been sent by police for examination at McAfee.

He said the Metropolitan Police Bureau, the Central Investigation Bureau, the Economic and Cyber Crime Division, and Police Region 7 and Police Region 8 will meet on Friday to follow up on the investigation.

Pol Lt Gen Nathathorn Prousoontorn, chief of the Immigration Bureau, said the bureau has sent alerts about two possible suspects captured by security cameras to immigration checkpoints.

He said immigration authorities have also been sent to check out venues where eastern European nationals live, and they are coordinating with Russian authorities for assistance.

A source said the gang had hacked into the bank’s system several times and lured them into thinking it was a false alarm before they installed the malware at an ATM of GSB in Phang Nga during March-April.

According to the source, the tampering was detected but it was ignored due to prior false alarms.

To steal the money, the gang inserted an electronic card into the ATMs which forced them to release as many as 40 banknotes per withdrawal. Normally, the number of banknotes released in a withdrawal is capped at 20.

The source said the bank is working with the manufacturer of the targeted ATMs to figure out which malware was used. The theft could be linked to the one in Taiwan in July when malware programmes triggered withdrawals of almost B100 million.

According to the source, three suspects were arrested in connection with the thefts in Taiwan and they said there were 30 of them targeting ATMs across the country.

A source at the Royal Thai Police said Tuesday the GSB filed a complaint about the thefts with the Economic and Cyber Crime Division on Aug 9.